Abstract

Most security models for authenticated key exchange (AKE) do not explicitly model the associated certification system, which includes the certification authority and its behaviour. However, there are several well-known and realistic attacks on AKE protocols which exploit various forms of malicious key registration and which therefore lie outside the scope of these models. We provide the first systematic analysis of AKE security incorporating certification systems. We define a family of security models that, in addition to allowing different sets of standard AKE adversary queries, also permit the adversary to register arbitrary bitstrings as keys. For this model family, we prove generic results that enable the design and verification of protocols that achieve security even if some keys have been produced maliciously. Our approach is applicable to a wide range of models and protocols; as a concrete illustration of its power, we apply it to the CMQV protocol in the natural strengthening of the eCK model to the ASICS setting.

Acknowledgments

C. B. and D. S. were supported by Australian Research Council (ARC) Discovery Project DP130104304. C. C. was supported by ETH Research Grant ETH-30 09-3. K. G. P. and B. P. were supported by an EPSRC Leadership Fellowship EP/H005455/1. This work was partly done while M. F. was at ETH Zurich, supported by ETH Research Grant ETH-30 09-3.

Proof of Theorem 1

The proof structure is similar to the proof of Theorem 2 in [31]. We denote by \(\varLambda \) the session key space associated with protocol \(\varPi \). Since the \({\mathsf {cNR}{ {\text {-}}}{X}}\) security of protocol \(\pi \) is probabilistic polynomial-time reducible to the hardness of the computational problem of some relation \(\phi \), there exists an algorithm A that, on input a problem instance of the computational problem of \(\phi \) and interacting with an adversary E that wins the \({\mathsf {cNR}{ {\text {-}}}{X}}\) game for \(\pi \) with non-negligible probability \(\eta \) in time \(\tau \), solves the computational problem of \(\phi \) with non-negligible probability \(h(\eta )\) and in time \(v(\tau )\), for some polynomial functions h and v.

By assumption, the session string decisional problem in the \({\mathsf {ASICS}_{Y}}\) experiment for \(\varPi \) is polynomial-time reducible to the decisional problem of \(\phi \). Hence, there is an algorithm W which solves the session string decisional problem for \(\varPi \) in polynomial time \(\tau ''\) given access to a decisional oracle for \(\phi \).

Let D be an adversary winning the \({\mathsf {ASICS}_{Y}}\) experiment against protocol \(\varPi \) with non-negligible probability \(\eta '\) in time \(\tau '\). Let K denote the event that D does not query H with the session string \(ss^{*}\) of the test session \(s^{*}\). Since \(\varPi \) has strong partnering in the \({\mathsf {ASICS}_{Y}}\) experiment, it holds that, with overwhelming probability, if two sessions compute the same session key, then they must be M-matching. Thus, if event K occurs, then D can only win the experiment with negligible probability \(u(k)+1/|\varLambda |\), where u(k) denotes the probability that D issues a \(\mathsf {session{{ {\text {-}}}}key}\) query to a session s that is not M-matching \(s^{*}\) but has \(s_{\mathrm {key}}=s^{*}_{\mathrm {key}}\), and the term \(1/|\varLambda |\) accounts for D guessing the (uniformly distributed) key of \(s^{*}\) outright.

We next define an algorithm B which solves the gap problem of \(\phi \) with non-negligible probability \(h'(\eta ')\) and in time \(v'(\tau ')\), for some polynomial functions \(h'\) and \(v'\), using adversary D as a subroutine. B will also run algorithm A on the problem instance of the computational problem of \(\phi \), and an algorithm L that decides, in polynomial time \(\tau '''\), whether an arbitrary bitstring \(\mathsf {pk}\) submitted for certification is an element of G. We now define B’s responses to D’s queries for the pre-specified peer setting; the post-specified peer case proceeds similarly. Algorithm B maintains sets of certificates \({\mathcal {C}_h}\) and \({\mathcal {C}_{\mathsf {pk}}}\) as well as lists H-List and G-List, all of which are initially empty.

1. \(q\in Q\cap \{\mathsf {kgen},\mathsf {randomness},\mathsf {corrupt}\}\): B forwards the query to A and passes A’s response back to D.

2. \(\mathsf {hregister}(\mathsf {pk},{\hat{P}})\): B forwards the query to A and passes A’s response back to D. In case A returns a certificate C, B adds C to the set \({\mathcal {C}_h}\), i.e., \({\mathcal {C}_h}\leftarrow {\mathcal {C}_h}\cup \{C\}\).

\(\mathsf {send}\left( s,M\right) \): If session s does not exist or if \(s_{\mathrm {status}}\ne {\mathtt {active}}\), then B returns \(\bot \). Else if \(s_{\mathrm {pcert}}\in {\mathcal {C}_{\mathsf {pk}}}\), then B responds to the query by simulating the protocol execution itself. Else B forwards the query to A and passes A’s response (if any) to D.

6. H query: To answer D’s queries to the random oracle for H, B stores entries of the form \((x_{i},\lambda _{i})\) with \(\lambda _{i}\in \varLambda \) in the H-List. When D makes a query x to the random oracle for H, B determines the return value for D as follows:

If there exists an entry \((x_{i},\lambda _{i})\) in the H-List with \(x_{i}=x\), then return \(\lambda _{i}\).

Else if there is an entry \((s_{\mathrm {acert}}.\mathsf {id},{}s_{\mathrm {acert}}.\mathsf {pk},{}s_{\mathrm {pcert}}.\mathsf {id},{} s_{\mathrm {pcert}}.\mathsf {pk}, \, s_{\mathrm {role}},{}s_{\mathrm {sent}},{}s_{\mathrm {rcvd}},{}\lambda _{i})\) in the G-List, for some session s that has accepted and \(\lambda _{i}\in \varLambda \), such that x is the session string of session s (i.e., \(x=ss\)) using algorithm W, then store the entry \((x,\lambda _{i})\) in the H-List and return \(\lambda _{i}\).

Else if there exists an entry of the form \((x_{i},\lambda _{i})\) in the H-List, where \(x_{i}=ss\) using algorithm W, then B stores the entry \((s_{\mathrm {acert}}.\mathsf {id}, s_{\mathrm {acert}}.\mathsf {pk},s_{\mathrm {pcert}}.\mathsf {id},{}s_{\mathrm {pcert}}.\mathsf {pk},{\mathcal {I}},s_{\mathrm {sent}},{}s_{\mathrm {rcvd}},\lambda _{i})\) in the G-List and returns \(\lambda _{i}\).

B can detect the complementary event \(K^{c}\) by checking which of the entries \((x_{i},\lambda _{i})\) in the H-List has \(x_{i}=ss^{*}\) using algorithm W. B then passes \(x_{i}\) to A. Since the test session \(s^{*}\) must be fresh, no \(\mathsf {pkregister}(s^{*}_{\mathrm {pcert}}.\mathsf {pk},s^{*}_{\mathrm {pcert}}.\mathsf {id})\) occurred in the \({\mathsf {ASICS}_{Y}}\) experiment and hence the certificate \(s^{*}_{\mathrm {pcert}}\) has been output through an \(\mathsf {hregister}(s^{*}_{\mathrm {pcert}}.\mathsf {pk},{}s^{*}_{\mathrm {pcert}}.\mathsf {id})\) query. A solves the computational problem of \(\phi \) with non-negligible probability \(h(\eta )\), where \(\eta =\eta '(1-u(k)-1/|\varLambda |)\). B is successful by outputting A’s solution to the instance of the computational problem of \(\phi \) and solves the gap problem of \(\phi \) with non-negligible probability \(h(\eta )\) and in time \(v(\tau )\), where \(\tau =\tau '+\tau ''n_{H}(n_{\mathsf {session{{ {\text {-}}}}key}}+1)+\tau '''n_{\mathsf {pkregister}}\) with \(n_{H},n_\mathsf {session{{ {\text {-}}}}key}\) and \(n_{\mathsf {pkregister}}\) denoting the number of \(H,\mathsf {session{{ {\text {-}}}}key}\) and \(\mathsf {pkregister}\) queries issued by D, respectively. \(\square \)

Remark 11

We cannot show that Theorem 1 holds for more complex protocols \(\varPi \) such as UM or HMQV-C in arbitrary ASICS base models as the simulation of non-test sessions s of \(\varPi \) with \(s_{\mathrm {pcert}}\) being the result of a \(\mathsf {pkregister}\) query cannot be performed in the appropriate way without the knowledge of long-term secret keys and without violating the freshness condition.

Proof of Theorem 2

Let \(\varPi \) be an ASICS protocol secure in model X. It is straightforward to verify the first condition of Definition 6, that is, that M-matching sessions of protocol \(f(\varPi )\) compute the same session key. This follows from the fact that M-matching sessions of protocol \(\varPi \) compute the same key as protocol \(\varPi \) is secure in ASICS model X. We next verify that the second condition of Definition 6 holds.

Claim If there is a PPT adversary E succeeding in the \({\mathsf {ASICS}_{Y}}\) experiment against protocol \(f(\varPi )\) with non-negligible advantage in time \(\tau '\), then we can construct a PPT adversary \(E'\) succeeding in the \({\mathsf {ASICS}_{X}}\) experiment against protocol \(\varPi \) with non-negligible advantage in time \(v(\tau )\) (for some polynomial function v) using adversary E as a subroutine. Let L be an algorithm that decides, in polynomial time \(\tau ''\), whether an arbitrary bitstring \(\mathsf {pk}\) submitted for certification is an element of G.

Proof. Fix a PPT adversary E succeeding in the \({\mathsf {ASICS}_{Y}}\) experiment against protocol \(f(\varPi )\) with non-negligible advantage. We define an algorithm \(E'\) which succeeds in the \({\mathsf {ASICS}_{X}}\) experiment against protocol \(\varPi \) with non-negligible advantage using E as a subroutine. Algorithm \(E'\) maintains sets of certificates \({\mathcal {C}_h},{\mathcal {C}_{\mathsf {pk}}}\) and \({\mathcal {C}_{\mathsf {npk}}}\), all of which are initially empty, and answers E’s queries in the pre-specified peer setting as follows.

Appendix 2: Analysis of CMQV

Let \(\mathsf {eCK}'=(\mathsf {M}2,Q',F')\) be the ASICS model where \(Q'=Q\cup \{\mathsf {pkregister}\}\) and \(F'\) is defined as F with the additional requirement that no \(\mathsf {pkregister}(s_{{\mathrm {pcert}}}.\mathsf {pk},s_{{\mathrm {pcert}}}.\mathsf {id})\) query has been issued.

Lemma 1

Let \(\mathsf {eCK}\) and \(\mathsf {eCK}'\) be as above. CMQV has strong partnering in the \({\mathsf {ASICS}_{\mathsf {eCK}'}}\) experiment under the assumption that H is a random oracle.

Proof

Suppose otherwise. Namely, suppose there exist two sessions s and \(s'\) of CMQV that hold the same session key but are not \(\mathsf {M}2\)-matching. Since the session key in CMQV is derived by applying a random oracle, except with negligible probability the input to the random oracle in both sessions must be the same. Since they are not \(\mathsf {M}2\)-matching, either \(s_{{\mathrm {acert}}}.\mathsf {id}\ne s'_{{\mathrm {pcert}}}.\mathsf {id}\), or \(s_{{\mathrm {acert}}}.\mathsf {pk}\ne s'_{{\mathrm {pcert}}}.\mathsf {pk}\), or \(s_{{\mathrm {pcert}}}.\mathsf {id}\ne s'_{{\mathrm {acert}}}.\mathsf {id}\), or \(s_{{\mathrm {pcert}}}.\mathsf {pk}\ne s'_{{\mathrm {acert}}}.\mathsf {pk}\), or \(s_{{\mathrm {sent}}} \ne s'_{{\mathrm {rcvd}}}\), or \(s_{{\mathrm {rcvd}}} \ne s'_{{\mathrm {sent}}}\), or \(s_{{\mathrm {role}}} = s'_{{\mathrm {role}}}\).

First suppose \(s_{{\mathrm {role}}} \ne s'_{{\mathrm {role}}}\). Then, either the public keys, identifiers, or transcripts of the two sessions do not correspond. But these are all inputs to the random oracle, so except with negligible probability the outputs of the random oracle will be different, contradicting that the two sessions hold the same session key.

Now suppose \(s_{{\mathrm {role}}} = s'_{{\mathrm {role}}}\). Except with negligible probability, two distinct honest sessions will have \(s_{{\mathrm {rand}}} \ne s'_{{\mathrm {rand}}}\), and hence \(s_{{\mathrm {sent}}} \ne s'_{{\mathrm {sent}}}\). But if both s and \(s'\) regard themselves as the initiator, they will each put their own sent ephemeral public key in the second component of the call to H, and these values are different, so except with negligible probability the outputs of the random oracle will be different, contradicting that the two sessions hold the same key. If both regard themselves as the responder, the same argument applies to the component of the call to H that holds the responder's ephemeral public key. \(\square \)

Lemma 2

The \({\mathsf {cNR}{ {\text {-}}}{\mathsf {eCK}}}\) security of the variant of CMQV in which the session string is output as the session key is polynomial-time reducible to the computational problem of the Diffie–Hellman relation \(\phi \), under the assumption that \({\mathcal {H}}_{1}\) and \({\mathcal {H}}_{2}\) are random oracles.

The basic idea of the proof is as follows.

If the adversary happens to figure out a long-term secret key without issuing a \(\mathsf {corrupt}\) query (event E), it must query the random oracle \({\mathcal {H}}_{1}\) with that value, and we can immediately use that value to solve the CDH problem, having embedded one of the CDH challenge values in that public key.

If the adversary is passive in the test session (event \(\overline{E} \wedge M\)), we can embed the CDH challenge values U, V as the ephemeral public keys X and Y of the test session. The adversary’s view can be simulated perfectly unless the adversary asks either \((\tilde{x},a)\) or \((\tilde{y},b)\) as a query for \({\mathcal {H}}_1\). But the freshness condition prevents the adversary from finding both elements of either pair. Therefore, the adversary cannot do better than guess the session string unless it can compute \(\sigma \). Here, the CDH of U and V can be extracted from \(\sigma \).

If the adversary is active in the test session (event \(\overline{E} \wedge \overline{M}\)), we can embed the CDH challenge values in the long-term key of the partner of the test session and the ephemeral public key of the session. As before the simulation is perfect unless the adversary asks \((\tilde{x},a)\) as a query for \({\mathcal {H}}_1\). Note that, since the adversary is active, the adversary cannot change or corrupt the secret long-term key of the peer. This time the value of \(\sigma \) is similar to a signature forgery and we can apply the Forking Lemma [3, 39] to extract the CDH of U and V.

Recall further that the goal of the adversary is to recover the session string; let S be the event that an algorithm \({\mathcal {M}}\) computes the session string. The security proof largely follows the original proof of Ustaoglu that CMQV is eCK-secure, but can be simplified somewhat as the queries in the \({\mathsf {cNR}{ {\text {-}}}{\mathsf {eCK}}}\) game are restricted compared to full eCK security.

Consider the following two complementary events:

E. There exists a certificate \(C'\) (created using \(\mathsf {hregister}\)) such that \({\mathcal {M}}\), during its execution, queries \({\mathcal {H}}_{1}(*, b)\) (where \(C'.\mathsf {pk}= g^{b}\)) before issuing any \(\mathsf {corrupt}(C'.\mathsf {pk})\) query (if it issues one at all).

\(\overline{E}\). During its execution, for every certificate \(C'\) (created using \(\mathsf {hregister}\)) for which \({\mathcal {M}}\) queries \({\mathcal {H}}_{1}(*, b)\) (where \(C'.\mathsf {pk}=g^{b}\)), it issued a \(\mathsf {corrupt}(C'.\mathsf {pk})\) query before the \({\mathcal {H}}_{1}(*, b)\) query.

Since the events are complementary, if \({\mathcal {M}}\) succeeds in computing the session string, it succeeded either when E occurred or when \(\overline{E}\) occurred.

We will see how, when each event occurs, the required polynomial-time reduction exists.

Event E Here, the simulator \({\mathcal {S}}\) guesses one public key \(\mathsf {pk}^{*}\) at random among those generated by \(\mathsf {kgen}\) and assigns \(\mathsf {pk}^{*} \leftarrow V\), where (U, V) is the Diffie–Hellman challenge. All other public keys are generated according to the protocol specification.

For all sessions and queries where the session actor is not using \(\mathsf {pk}^{*}\), \({\mathcal {S}}\) follows the protocol specification exactly.

For sessions where the session actor is using \(\mathsf {pk}^{*}\), \({\mathcal {S}}\) responds to queries as follows:

\(\mathsf {send}(s=(C, i), M)\) where \(s_{{\mathrm {acert}}}.\mathsf {pk}= \mathsf {pk}^{*}\) and \(s_{{\mathrm {role}}} = {\mathcal {I}}\): \({\mathcal {S}}\) does not need to simulate anything here, since no outgoing message is required and the only variable updated is the session string ss, which \({\mathcal {M}}\) cannot observe because no \(\mathsf {session{{ {\text {-}}}}key}\) reveal query is allowed.

For sessions where the session actor is using \(\mathsf {pk}^{*}\) and is the responder, \({\mathcal {S}}\) responds to queries as follows:

Note that \({\mathcal {S}}\)’s simulation is perfect up until an abort event from the \(\mathsf {corrupt}\) query occurs. Given that event E occurs, there exists some public key \(\mathsf {pk}=g^{b}\) for which the query \({\mathcal {H}}_{1}(*, b)\) occurs before any \(\mathsf {corrupt}(\mathsf {pk})\) query occurs. With probability at least \(1/n_{\mathsf {kgen}}\), where \(n_{\mathsf {kgen}}\) is the number of \(\mathsf {kgen}\) queries made by \({\mathcal {M}}\), this condition holds for \(\mathsf {pk}^{*}\). When \({\mathcal {S}}\) guesses correctly, \({\mathcal {M}}\) will indeed query \({\mathcal {H}}_{1}(*, b)\) with \(g^{b}=V\) before any \(\mathsf {corrupt}(\mathsf {pk}^{*})\) query; \({\mathcal {S}}\) reads b off that query and outputs \(U^{b}=g^{ub}\), thus solving the computational Diffie–Hellman problem for (U, V).

Thus, when event E occurs, there exists a polynomial-time reduction from a \({\mathsf {cNR}{ {\text {-}}}{\mathsf {eCK}}}\) adversary for the session string variant of CMQV to the computational Diffie–Hellman problem under the assumption that \({\mathcal {H}}_{1}\) is a random oracle, with a tightness factor of \(n_{\mathsf {kgen}}\).

Event \(\overline{E}\) We divide this event into two complementary cases:

M. The session s for which the adversary output the session string has an \(\mathsf {M}2\)-matching session \(s'\).

\(\overline{M}\). The session s for which the adversary output the session string does not have an \(\mathsf {M}2\)-matching session.

When \(\overline{E}\) occurs, either M or \(\overline{M}\) must also occur.

Event \(\overline{E} \wedge M\) Suppose event \(\overline{E}\) occurs and there is an \(\mathsf {M}2\)-matching session \(s'\) for the target session s.

Here, the simulator guesses two sessions s and \(s'\); assume without loss of generality that \(s_{{\mathrm {role}}} = {\mathcal {I}}\) and \(s'_{{\mathrm {role}}} = {\mathcal {R}}\). \({\mathcal {S}}\) responds to all \(\mathsf {kgen}, \mathsf {hregister}, \mathsf {corrupt}\), and \(\mathsf {randomness}\) queries as specified by the protocol. For all sessions other than s and \(s'\), \({\mathcal {S}}\) responds to \(\mathsf {create}\) and \(\mathsf {send}\) as specified by the protocol. For s and \(s'\), \({\mathcal {S}}\) responds to \(\mathsf {create}\) and \(\mathsf {send}\) as follows:

\({\mathcal {S}}\) responds to \({\mathcal {H}}_{2}\) queries as normal. \({\mathcal {S}}\) responds to \({\mathcal {H}}_{1}\) queries as normal except for the queries \((\tilde{x}, a)\) or \((\tilde{y}, b)\), where a and b are the secret keys corresponding to the public keys in sessions s and \(s'\); when this occurs, the simulation aborts.

Note that \({\mathcal {S}}\)’s simulation is perfect unless a \({\mathcal {H}}_{1}(\tilde{x}, a)\) or \({\mathcal {H}}_{1}(\tilde{y}, b)\) query occurs. Because of event \(\overline{E}\), \({\mathcal {M}}\) issues a \(\mathsf {corrupt}(g^{a})\) query before any \({\mathcal {H}}_{1}(\tilde{x}, a)\) query, and a \(\mathsf {corrupt}(g^{b})\) query before any \({\mathcal {H}}_{1}(\tilde{y}, b)\) query. Since \(\tilde{x}\) and \(\tilde{y}\) are used in only one session and \({\mathcal {H}}_{1}\) is a random function, no information can be learned about \(\tilde{x}\) and \(\tilde{y}\) without \(\mathsf {randomness}(s)\) or \(\mathsf {randomness}(s')\) queries. By the freshness condition, it cannot be that both \(\mathsf {randomness}(s)\) and \(\mathsf {corrupt}(g^{a})\) occurred, or that both \(\mathsf {randomness}(s')\) and \(\mathsf {corrupt}(g^{b})\) occurred. Thus, if \({\mathcal {S}}\) correctly guesses s and \(s'\), the simulation is perfect and does not abort. This happens with probability at least \(2/n_{\mathsf {create}}^{2}\).

Assuming the simulation is perfect and does not abort and that \({\mathcal {M}}\) outputs the session string, \({\mathcal {S}}\) can use this to solve the Diffie–Hellman problem. In particular, let \(\sigma \) be the shared secret in the session string output by \({\mathcal {M}}\). Then, \({\mathcal {S}}\) outputs \(\sigma g^{-abed}U^{-be}V^{-ad}\) as the solution to the computational Diffie–Hellman challenge (U, V).

Thus, when event \(\overline{E} \wedge M\) occurs, there exists a polynomial-time reduction from a \({\mathsf {cNR}{ {\text {-}}}{\mathsf {eCK}}}\) adversary for the session string variant of CMQV to the computational Diffie–Hellman problem under the assumption that \({\mathcal {H}}_{1}\) is a random oracle, with a tightness factor of \(n_{\mathsf {create}}^{2}\).

Event \(\overline{E} \wedge \overline{M}\) Suppose event \(\overline{E}\) occurs but there is no \(\mathsf {M}2\)-matching session for the target session s.

For the jth query to \(\mathsf {kgen}\), for an index j chosen uniformly at random from \(\{1,\ldots ,n_{\mathsf {kgen}}\}\), \({\mathcal {S}}\) assigns \(\mathsf {pk}^{*} \leftarrow V\) from the Diffie–Hellman challenge (U, V) to be the public key; for all other \(\mathsf {kgen}\) queries, it responds as specified by the protocol.

All \(\mathsf {hregister}\) queries are responded to as normal. All \(\mathsf {corrupt}\) queries are responded to as normal, except for \(\mathsf {corrupt}(\mathsf {pk}^{*})\), in which case \({\mathcal {S}}\) aborts.

For all sessions and queries where the session actor or peer is not using \(\mathsf {pk}^{*}\), \({\mathcal {S}}\) follows the protocol specification exactly.

For sessions where the session actor is using \(\mathsf {pk}^{*}\), \({\mathcal {S}}\) responds as in event E.

For sessions where the session peer is using \(\mathsf {pk}^{*}\), \({\mathcal {S}}\) responds as specified by the protocol, except for the target session \(s^{*}\). In \(s^{*}\), \({\mathcal {S}}\) responds as follows:

Note that \({\mathcal {S}}\)’s simulation is perfect up until an abort event from the \(\mathsf {corrupt}\) or the \({\mathcal {H}}_{2}\) query occurs. Given that \(s^{*}\) is fresh and no matching session exists, no \(\mathsf {corrupt}(\mathsf {pk}^{*})\) query on the peer's long-term key \(s^{*}_{{\mathrm {pcert}}}.\mathsf {pk}=\mathsf {pk}^{*}\) is allowed, and hence \({\mathcal {S}}\) does not abort for that reason. Given that event \(\overline{E}\) occurs, if \({\mathcal {M}}\) queries \({\mathcal {H}}_{1}(s^{*}_{{\mathrm {rand}}}, a)\) such that \(g^{a} = s^{*}_{{\mathrm {acert}}}.\mathsf {pk}\), then \({\mathcal {M}}\) must have issued a \(\mathsf {corrupt}(g^{a})\) query first. But \(s^{*}\) is fresh, so \({\mathcal {M}}\) cannot also have issued a \(\mathsf {randomness}(s^{*})\) query, and thus cannot know \(s^{*}_{{\mathrm {rand}}}\) unless it guesses it, which succeeds only with negligible probability.

Assume the simulation is perfect and does not abort, and that \({\mathcal {M}}\) outputs the session string containing the correct shared secret \(\sigma = g^{uy}g^{ady}g^{uve}g^{adev}\), where \(X = U = g^{u}\) is the test session's ephemeral public key, \(Y = g^{y}\) is the received ephemeral public key and \(s^{*}_{{\mathrm {pcert}}}.\mathsf {pk}= V = g^{v}\). \({\mathcal {S}}\) can then compute \(\eta = \sigma Y^{-ad} V^{-ade} = g^{uy+uve}\). But the peer's ephemeral secret key y was chosen by the adversary, so without y, \({\mathcal {S}}\) cannot directly compute \(g^{uv}\) from \(\eta \).

Using the Forking Lemma, \({\mathcal {S}}\) runs \({\mathcal {M}}\) on the same input and the same random coins but with modified answers to \({\mathcal {H}}_{2}\) queries. Note that \({\mathcal {M}}\) must have queried \({\mathcal {H}}_{2}(Y, s^{*}_{{\mathrm {acert}}}.\mathsf {id}, s^{*}_{{\mathrm {pcert}}}.\mathsf {id})\) to obtain e, because otherwise \({\mathcal {M}}\) would be unable to compute \(\sigma \) except with negligible probability. For the second run of \({\mathcal {M}}, {\mathcal {S}}\) responds to \({\mathcal {H}}_{2}(Y, s^{*}_{{\mathrm {acert}}}.\mathsf {id}, s^{*}_{{\mathrm {pcert}}}.\mathsf {id})\) with \(e' \ne e\) selected uniformly at random.

which is the solution to the computational Diffie–Hellman challenge (U, V).

Thus, when event \(\overline{E} \wedge \overline{M}\) occurs, there exists a polynomial-time reduction from a \({\mathsf {cNR}{ {\text {-}}}{\mathsf {eCK}}}\) adversary for the session string variant of CMQV to the computational Diffie–Hellman problem under the assumption that \({\mathcal {H}}_{1}\) and \({\mathcal {H}}_{2}\) are random oracles, with a tightness factor of \(n_{\mathsf {create}} n_{\mathsf {kgen}} n_{{\mathcal {H}}_{2}} c\), where c is a constant from the Forking Lemma. \(\square \)
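As an added worked check, not code from the ASICS paper or from Ustaoglu's CMQV, the Python below runs a toy CMQV exchange over a small (and deliberately insecure) safe-prime subgroup and verifies the three pieces of algebra the proofs above rely on: that \(\mathsf {M}2\)-matching sessions compute the same session string (Lemma 1); that in event \(\overline{E} \wedge M\), with \(X=U\) and \(Y=V\) embedded, \(\sigma g^{-abde}U^{-be}V^{-ad} = g^{uv}\); and that in event \(\overline{E} \wedge \overline{M}\), with \(\mathsf {pk}^{*}=V\) and \(X=U\), the two forked runs yield \(\eta = g^{uy+uve}\) and \(\eta ' = g^{uy+uve'}\), from which \((\eta /\eta ')^{(e-e')^{-1} \bmod q} = g^{uv}\). The group parameters, the SHA-256 stand-ins for the random oracles \({\mathcal {H}}_{1}\) and \({\mathcal {H}}_{2}\), the fixed secrets, and the ordering of the session string components are all assumptions made for the example; in the proof the two values of \(\sigma \) are what \({\mathcal {M}}\) outputs, whereas here they are computed with the trapdoor v purely to check the extraction formulas.

```python
"""Toy CMQV session strings and the CDH extraction steps of the Lemma 2 proof.

Added example; not code from the ASICS paper or from Ustaoglu's CMQV.
Assumptions: a tiny safe-prime group (p = 2039, q = 1019, g = 4) that is NOT
secure and only serves to check the algebra; SHA-256 reduced into [1, q-1]
standing in for the random oracles H1 and H2; and the session string ordered
as (sigma, X, Y, id_I, id_R), where X is the initiator's ephemeral public key.
"""
import hashlib

P, Q, G = 2039, 1019, 4  # p = 2q + 1; 4 = 2^2 generates the order-q subgroup


def _oracle(label: str, *parts) -> int:
    """Random-oracle stand-in returning a non-zero exponent in [1, q-1]."""
    data = "|".join([label, *map(str, parts)]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1


def h1(seed: int, long_term_sk: int) -> int:
    """H1(x~, a): CMQV's effective ephemeral exponent derived from seed and long-term key."""
    return _oracle("H1", seed, long_term_sk)


def h2(eph_pk: int, id_init: str, id_resp: str) -> int:
    """H2(X, id_I, id_R) resp. H2(Y, id_I, id_R): the MQV-style exponents d and e."""
    return _oracle("H2", eph_pk, id_init, id_resp)


def initiator_ss(a: int, x: int, peer_pk: int, Y: int, id_i: str, id_r: str):
    """Initiator: sigma = (Y * B^e)^(x + d*a); returns the session string tuple."""
    X = pow(G, x, P)
    d, e = h2(X, id_i, id_r), h2(Y, id_i, id_r)
    sigma = pow(Y * pow(peer_pk, e, P) % P, (x + d * a) % Q, P)
    return (sigma, X, Y, id_i, id_r)


def responder_ss(b: int, y: int, peer_pk: int, X: int, id_i: str, id_r: str):
    """Responder: sigma = (X * A^d)^(y + e*b); returns the session string tuple."""
    Y = pow(G, y, P)
    d, e = h2(X, id_i, id_r), h2(Y, id_i, id_r)
    sigma = pow(X * pow(peer_pk, d, P) % P, (y + e * b) % Q, P)
    return (sigma, X, Y, id_i, id_r)


def extract_cdh_passive(sigma, U, V, a, b, d, e):
    """Event not-E and M: X = U, Y = V embedded and a, b, d, e known to the simulator.
    sigma = g^{uv} * U^{be} * V^{ad} * g^{abde}, so divide the three known factors out."""
    known = pow(G, a * b * d * e % Q, P) * pow(U, b * e % Q, P) * pow(V, a * d % Q, P) % P
    return sigma * pow(known, -1, P) % P


def _eta(sigma, Y, V, a, d, e):
    """eta = sigma * Y^{-ad} * V^{-ade} = g^{uy + uve} when pk* = V and X = U."""
    known = pow(Y, a * d % Q, P) * pow(V, a * d * e % Q, P) % P
    return sigma * pow(known, -1, P) % P


def extract_cdh_forking(sigma1, e1, sigma2, e2, Y, V, a, d):
    """Event not-E and not-M: two runs forked at the H2(Y, ...) query, e1 != e2.
    eta1 / eta2 = g^{uv(e1 - e2)}, so raise the ratio to (e1 - e2)^{-1} mod q."""
    ratio = _eta(sigma1, Y, V, a, d, e1) * pow(_eta(sigma2, Y, V, a, d, e2), -1, P) % P
    return pow(ratio, pow((e1 - e2) % Q, -1, Q), P)


def demo() -> dict:
    """Runs all three checks with fixed, constructed secrets so results are deterministic."""
    id_i, id_r = "Alice", "Bob"
    a, b = 123, 456                      # long-term secret keys (constructed)
    A, B = pow(G, a, P), pow(G, b, P)
    x, y = h1(11, a), h1(22, b)          # ephemeral exponents from seeds x~ = 11, y~ = 22
    X, Y = pow(G, x, P), pow(G, y, P)
    ss_i = initiator_ss(a, x, B, Y, id_i, id_r)
    ss_r = responder_ss(b, y, A, X, id_i, id_r)

    # Event not-E and M: the challenge (U, V) sits in X and Y; simulator knows a and b.
    u, v = 789, 321
    U, V = pow(G, u, P), pow(G, v, P)
    sigma_m = initiator_ss(a, u, B, V, id_i, id_r)[0]
    d, e = h2(U, id_i, id_r), h2(V, id_i, id_r)
    cdh_m = extract_cdh_passive(sigma_m, U, V, a, b, d, e)

    # Event not-E and not-M: V is the peer's long-term key pk*, U the test session's X,
    # Y = g^y is chosen by the adversary. sigma and sigma' are computed with v here only
    # to check the algebra; in the proof they are M's outputs in the two forked runs.
    y_adv = 555
    Y_adv = pow(G, y_adv, P)
    d2 = h2(U, id_i, id_r)
    e_first = h2(Y_adv, id_i, id_r)
    e_second = (e_first + 777) % (Q - 1) + 1      # the reprogrammed answer e' != e

    def sigma_with(e_val):
        return pow(Y_adv * pow(V, e_val, P) % P, (u + d2 * a) % Q, P)

    cdh_f = extract_cdh_forking(sigma_with(e_first), e_first,
                                sigma_with(e_second), e_second, Y_adv, V, a, d2)

    return {"matching_equal": ss_i == ss_r,
            "passive_ok": cdh_m == pow(G, u * v % Q, P),
            "forking_ok": cdh_f == pow(G, u * v % Q, P)}


if __name__ == "__main__":
    print(demo())
```

The `demo()` function returns a dictionary of the three checks. The reprogrammed value \(e'\) is chosen so that \(e - e' \not\equiv 0 \pmod q\), which is exactly the condition the Forking Lemma step needs for the final exponent inversion to exist.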

Remark 12

Because in the above lemma we do not have to prove full session key indistinguishability security of CMQV, instead proving the hardness of session string computation of a variant of CMQV, we can make a few simplifications from Ustaoglu’s original proof:

We do not have to worry about key replication attacks (when the adversary causes two non-matching sessions to have the same session key (that is, session string), and then reveals the session key at one of the sessions) because there is no \(\mathsf {session{{ {\text {-}}}}key}\) query.

In event E, we do not have to worry about setting the session string correctly for any session involving the user whose public key has been injected with the CDH challenge, because there is no \(\mathsf {session{{ {\text {-}}}}key}\) query. Thus we do not need a DDH oracle here.

In event \(\overline{E} \wedge M\), we do not have to use the DDH oracle to test which of the many \({\mathcal {H}}\) random oracle queries is the solution we need: we simply output the CDH value derived directly from the output of \({\mathcal {M}}\).

Lemma 3

The session string decision problem for CMQV is polynomial-time reducible to the decisional problem of the Diffie–Hellman relation \(\phi \).

Note that in each of the above cases, if (U, V, W) is a real Diffie–Hellman triple, then D is run on a real CMQV session string, whereas if (U, V, W) is a random triple, then D is run on a random session string. Thus, if D is a distinguisher for CMQV session strings, then E is a distinguisher for the Diffie–Hellman relation. \(\square \)